One of the key changes introduced by the General Data Protection Regulation (GDPR) is the extended territorial scope of the regime. The GDPR seeks to apply European data protection standards and rights in a much more far-reaching manner than its predecessor legislation.
Non-EU organisations that offer goods or services into the EU, or monitor the behaviour of data subjects within the EU, may be directly caught within the scope of the new regulation under Article 3(2). Despite the relatively short wording of the provision, this is a complex test with significant implications, so it is not surprising that many organisations are looking to the European authorities for further guidance to help with their determination.
The implications for non-EU organisations include the requirement to appoint a representative in the EU, as well as compliance with the rest of the GDPR. Compliance can be complicated by the interplay between different laws - for example, where certain data processing may require consent under local law but may be justified by a different lawful ground under the GDPR. Non-EU organisations also face the difficult choice of trying to segregate GDPR and non-GDPR data (where practicable) or applying the higher standard of data protection across the board (which may grant individuals substantial rights beyond the requirements of local law).
How the European data protection authorities will monitor the GDPR compliance of non-EU organisations remains to be seen and it will also be interesting to see how both administrative fines and compensation claims are enforced outside the EU.